National Cyber Warfare Foundation (NCWF) Forums


Metasploit Weekly Wrap-Up 10 25 2024


0 user ratings
2024-10-25 19:36:08
milo
Red Team (CNA)


Hackers and Vampires Agree: Every Byte Counts


Metasploit Weekly Wrap-Up 10/25/2024

Headlining the release today is a new exploit module by jheysel-r7 that chains two vulnerabilities to target Magento/Adobe Commerce systems. The first, CVE-2024-34102, is an arbitrary file read used to determine the version and layout of the glibc library; the second, CVE-2024-2961, is a single-byte buffer overflow, and it is impressive what can be done with a single byte. By creating an intricate heap layout through specific memory allocation calls in PHP, an attacker can groom the heap contents so that the single-byte overflow changes a flag in the custom_heap structure, which then results in a system call containing arbitrary data.


New module content (1)


CosmicSting: Magento Arbitrary File Read (CVE-2024-34102) + PHP Buffer Overflow in the iconv() function of glibc (CVE-2024-2961)


Authors: Charles Fol, Heyder, Sergey Temnikov, and jheysel-r7

Type: Exploit

Pull request: #19544 contributed by jheysel-r7

Path: linux/http/magento_xxe_to_glibc_buf_overflow

AttackerKB reference: CVE-2024-34102


Description: Adds a new module exploit/linux/http/magento_xxe_to_glibc_buf_overflow which uses a combination of an Arbitrary File Read (CVE-2024-34102) and a Buffer Overflow in glibc (CVE-2024-2961) to gain unauthenticated Remote Code Execution on multiple versions of Magento and Adobe Commerce, including versions less than 2.4.6-p5.
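The description above gives a defender two concrete facts to act on: the Magento patch level named as the cut-off (2.4.6-p5) and the fact that the chain depends on the host's glibc. The following is an added example, not code from the Metasploit module or from Rapid7's post. It parses Magento/Adobe Commerce version strings of the `2.4.6-p5` form and flags builds below that threshold, and it reads the running glibc version through `gnu_get_libc_version()` (a real glibc function) for comparison. The glibc cut-off of 2.40 is an assumption taken from the upstream release that carries the iconv() fix; distributions backport fixes under older version numbers, so a low glibc version by itself does not prove exposure and the vendor advisories remain authoritative.

```python
"""Inventory check for the CosmicSting chain (CVE-2024-34102 + CVE-2024-2961).

Added example, not code from the Metasploit module. It answers two questions a
defender needs before triaging a host: is this Magento build below the patch
level named in the release notes, and is the host's glibc older than the
release assumed to carry the iconv() fix?
"""
import ctypes
import re
from typing import Dict, Optional, Tuple

# Threshold quoted in the release notes ("versions less than 2.4.6-p5").
# Treat it as a lower bound, not the complete affected set; the vendor advisory is authoritative.
MAGENTO_PATCHED = "2.4.6-p5"

# Assumption: the upstream glibc release containing the CVE-2024-2961 fix.
# Distributions backport, so compare against your distro's advisory, not only this number.
GLIBC_FIXED = "2.40"

# Magento versions look like MAJOR.MINOR.PATCH with an optional "-pN" security patch suffix.
_MAGENTO_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?$")


def parse_magento_version(text: str) -> Tuple[int, int, int, int]:
    """Return (major, minor, patch, p) so that tuples compare in release order.

    A bare release (no -pN) gets p=0, which correctly sorts it *before* its own
    security patches: 2.4.6 < 2.4.6-p1 < ... < 2.4.6-p5 < 2.4.7.
    """
    m = _MAGENTO_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Magento version string: {text!r}")
    major, minor, patch, p = m.groups()
    return int(major), int(minor), int(patch), int(p or 0)


def magento_below_threshold(version: str, threshold: str = MAGENTO_PATCHED) -> bool:
    """True when `version` is older than `threshold` (default: the level quoted in the notes)."""
    return parse_magento_version(version) < parse_magento_version(threshold)


def parse_glibc_version(text: str) -> Tuple[int, ...]:
    """glibc reports e.g. '2.39'; keep only the leading dotted numeric components."""
    nums = re.match(r"^(\d+(?:\.\d+)*)", text.strip())
    if not nums:
        raise ValueError(f"unrecognised glibc version string: {text!r}")
    return tuple(int(part) for part in nums.group(1).split("."))


def glibc_below_threshold(version: str, threshold: str = GLIBC_FIXED) -> bool:
    """True when the reported glibc version is older than the assumed fixed release."""
    return parse_glibc_version(version) < parse_glibc_version(threshold)


def running_glibc_version() -> Optional[str]:
    """Ask the loaded C library for its version; None on non-glibc systems (musl, macOS, Windows)."""
    try:
        libc = ctypes.CDLL("libc.so.6")
        fn = libc.gnu_get_libc_version
    except (OSError, AttributeError):
        return None
    fn.restype = ctypes.c_char_p
    return fn().decode("ascii")


def assess(magento_version: str, glibc_version: Optional[str]) -> Dict[str, object]:
    """Combine both checks into one triage record for an inventory report."""
    magento_old = magento_below_threshold(magento_version)
    glibc_old = glibc_version is not None and glibc_below_threshold(glibc_version)
    return {
        "magento_version": magento_version,
        "magento_below_patch_level": magento_old,
        "glibc_version": glibc_version,
        "glibc_below_upstream_fix": glibc_old,
        # The chain needs both bugs. An unknown glibc is treated conservatively
        # as possibly affected; only a Magento build at or above the cut-off clears it.
        "chain_plausible": magento_old and (glibc_version is None or glibc_old),
    }


if __name__ == "__main__":
    for ver in ("2.4.6", "2.4.6-p4", "2.4.6-p5", "2.4.7"):
        print(assess(ver, running_glibc_version()))
```

Run it on the host that serves Magento (the glibc that matters is the one PHP links against), and feed `assess()` the version string from your deployment inventory rather than trusting what the storefront advertises.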


Enhancements and features (2)



  • #19536 from GhostlyBox - Updates the post/windows/gather/enum_unattend.rb module to also check for '.vmimport' files, which may have been created by the AWS EC2 VMIE (VM Import/Export) service and can contain cleartext credentials.

  • #19567 from bcoles - Adds default vendor passwords for common single-board computers (SBCs) to wordlists.
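The enum_unattend enhancement is a reminder that provisioning leftovers are a credential source worth auditing before an attacker does. The following is an added example, not the enum_unattend module itself (which is Ruby and runs inside a Meterpreter session): a defender-side audit in Python that walks a filesystem image for the same leftovers, namely unattend.xml/autounattend.xml answer files whose password fields are marked PlainText=true, and any `.vmimport` file. The answer file and directory layout are constructed in a temporary directory for the demo; the `.vmimport` match is by file name only, since that file's internal format is not described on the page, and the audit reports which fields hold a cleartext value without ever echoing the value.

```python
"""Audit a filesystem tree for leftover provisioning files that can hold cleartext credentials.

Added example, not part of the Metasploit enum_unattend module. Intended for
golden-image review or a read-only scan of a mounted disk.
"""
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import Dict, List

# Assumption: an illustrative list of leftover names; extend it to match your imaging pipeline.
LEFTOVER_NAMES = {"unattend.xml", "autounattend.xml"}
LEFTOVER_SUFFIXES = {".vmimport"}


def _local(tag: str) -> str:
    """Strip the XML namespace so '{urn:schemas-microsoft-com:unattend}Value' compares as 'Value'."""
    return tag.rsplit("}", 1)[-1]


def plaintext_password_fields(xml_text: str) -> List[str]:
    """Return the names of elements carrying a cleartext password.

    The unattend schema stores passwords as <X><Value>..</Value><PlainText>true</PlainText></X>,
    where X is e.g. AdministratorPassword or the Password child of AutoLogon. Only the element
    name is reported, never the value.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return []
    hits = []
    for elem in root.iter():
        children = {_local(c.tag): (c.text or "").strip() for c in elem}
        if children.get("Value") and children.get("PlainText", "").lower() == "true":
            hits.append(_local(elem.tag))
    return hits


def scan_tree(root: Path) -> List[Dict[str, str]]:
    """Walk `root` and return one finding per leftover provisioning file."""
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        if path.suffix.lower() in LEFTOVER_SUFFIXES:
            findings.append({"path": str(path), "reason": "VM import leftover present"})
        elif path.name.lower() in LEFTOVER_NAMES:
            fields = plaintext_password_fields(path.read_text(encoding="utf-8", errors="replace"))
            reason = ("cleartext password fields: " + ", ".join(fields)
                      if fields else "unattend file present (no cleartext password found)")
            findings.append({"path": str(path), "reason": reason})
    return findings


# Constructed sample answer file; the password is a placeholder, not a real credential.
SAMPLE_UNATTEND = """<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <UserAccounts>
        <AdministratorPassword>
          <Value>Placeholder!Passw0rd</Value>
          <PlainText>true</PlainText>
        </AdministratorPassword>
      </UserAccounts>
      <AutoLogon>
        <Password>
          <Value>Placeholder!Passw0rd</Value>
          <PlainText>true</PlainText>
        </Password>
        <Enabled>true</Enabled>
        <Username>Administrator</Username>
      </AutoLogon>
    </component>
  </settings>
</unattend>
"""


def demo() -> List[Dict[str, str]]:
    """Build a constructed Windows-like layout in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        (base / "Windows" / "Panther").mkdir(parents=True)
        (base / "Windows" / "Panther" / "unattend.xml").write_text(SAMPLE_UNATTEND, encoding="utf-8")
        (base / "ProgramData").mkdir()
        (base / "ProgramData" / "import-log.vmimport").write_text("constructed placeholder\n")
        return sorted(scan_tree(base), key=lambda f: f["path"])


if __name__ == "__main__":
    for finding in demo():
        print(f"{finding['path']}: {finding['reason']}")
```

Point `scan_tree()` at a mounted image root (for example the mount point of a VHD) rather than a live system drive where possible, and treat any finding as a rotate-and-remove item: the credential should be changed, not just the file deleted.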


Bugs fixed (4)



  • #19571 from sjanusz-r7 - Fixes an issue that stopped users from using navigational arrow keys in msfconsole on newer Windows 11 installs.

  • #19572 from cdelafuente-r7 - Fixes an issue in the UPDATE action of admin/ldap/ad_cs_cert_template.

  • #19576 from adfoster-r7 - Fixes a crash when importing a Metasploit XML file with Ruby 3.2 and above.

  • #19577 from adfoster-r7 - Fixes a crash when running the shell command with a Meterpreter session.


Documentation


You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.


Get it


As always, you can update to the latest Metasploit Framework with msfupdate, and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.




Source: Rapid7
Source Link: https://blog.rapid7.com/2024/10/25/metasploit-weekly-wrap-up-10-25-2024/





Copyright 2012 through 2024 - National Cyber Warfare Foundation - All rights reserved worldwide.